From 9ce044175ceb660bfff8c034273cb71edcacd588 Mon Sep 17 00:00:00 2001 From: Matthew Gregan Date: Mon, 21 Jun 2010 12:05:41 +1200 Subject: [PATCH] Bug 573405 - Check Theora frame sizes before initializing decoder. Also, check frame region size as well as picture region size. r=roc --- content/media/ogg/nsOggCodecState.cpp | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/content/media/ogg/nsOggCodecState.cpp b/content/media/ogg/nsOggCodecState.cpp index bc7d50ae7c2..a8cf4f3a24b 100644 --- a/content/media/ogg/nsOggCodecState.cpp +++ b/content/media/ogg/nsOggCodecState.cpp @@ -166,10 +166,6 @@ nsTheoraState::~nsTheoraState() { PRBool nsTheoraState::Init() { if (!mActive) return PR_FALSE; - mCtx = th_decode_alloc(&mInfo, mSetup); - if (mCtx == NULL) { - return mActive = PR_FALSE; - } PRInt64 n = mInfo.fps_numerator; PRInt64 d = mInfo.fps_denominator; @@ -190,8 +186,16 @@ PRBool nsTheoraState::Init() { mPixelAspectRatio = (n == 0 || d == 0) ? 1.0f : static_cast(n) / static_cast(d); - // Ensure the frame isn't larger than our prescribed maximum. + // Ensure the frame region isn't larger than our prescribed maximum. PRUint32 pixels; + if (!MulOverflow32(mInfo.frame_width, mInfo.frame_height, pixels) || + pixels > MAX_VIDEO_WIDTH * MAX_VIDEO_HEIGHT || + pixels == 0) + { + return mActive = PR_FALSE; + } + + // Ensure the picture region isn't larger than our prescribed maximum. if (!MulOverflow32(mInfo.pic_width, mInfo.pic_height, pixels) || pixels > MAX_VIDEO_WIDTH * MAX_VIDEO_HEIGHT || pixels == 0) @@ -199,6 +203,11 @@ PRBool nsTheoraState::Init() { return mActive = PR_FALSE; } + mCtx = th_decode_alloc(&mInfo, mSetup); + if (mCtx == NULL) { + return mActive = PR_FALSE; + } + return PR_TRUE; }
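Review bot: Both size checks in the second hunk (`@@ -190,8 +186,16 @@`) bound only the product of width and height, so a header with one very large dimension and one very small one still passes as long as the area stays within `MAX_VIDEO_WIDTH * MAX_VIDEO_HEIGHT`. If any later code sizes a row, stride or per-plane buffer from a single dimension, that dimension is limited only by the area cap. Consider also rejecting each side on its own, e.g. adding `mInfo.frame_width > MAX_VIDEO_WIDTH || mInfo.frame_height > MAX_VIDEO_HEIGHT ||` to the frame check and the equivalent for `pic_width`/`pic_height`, or a separate per-dimension limit if tall, narrow video must remain playable. Init() starts before this hunk and ends after it, so what the rest of the function does with these values is not visible here.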
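Review bot: The relocated `th_decode_alloc` call in the third hunk (`@@ -199,6 +203,11 @@`) has no comment saying why it must come last, although that ordering is the whole point of the fix. I would add above it: `// Allocate the decoder only after mInfo's frame and picture sizes have passed the checks above; th_decode_alloc must not be handed unvalidated dimensions.` Without that, a later cleanup could move the allocation back to the top of Init() next to the `mActive` test and silently undo the validation-before-allocation guarantee. The start of Init() lies outside this hunk.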